A cross-chain bridge linking Secret Network to Axelar was drained of $4.67 million in wrapped tokens after an attacker exploited a minting vulnerability that had gone undetected for seven days. Both teams disclosed the incident on June 19, confirming that the attack began on June 10 and was only discovered when a routine cross-chain transfer failed because the bridge's escrow account had been emptied.
The vulnerability resided in a modified CW20-ICS20 smart contract deployed on Secret Network for the Axelar bridge connection. Security firm Common Prefix identified that two critical validation checks had been commented out from the contract's packet-receive function: one that should have verified incoming token denominations against the legitimate source channel, and another that should have capped outflows to amounts genuinely held in escrow. The flaw dated back to the contract's initial deployment in March 2023 and survived a migration in March 2026 that updated bytecode but preserved the missing checks.
How the Attack Worked
The attacker created a single-validator Cosmos SDK chain and opened a new IBC channel to Secret Network, a process that is permissionless by design. They then self-relayed forged IBC packets carrying bare denominations that matched the bridge's allow-list. With both validation checks missing, the contract minted unbacked wrapped tokens on Secret Network, which the attacker then redeemed over the legitimate Axelar channel to drain the real escrowed assets on the other side. Secret Network's default transaction encryption obscured the growing shortfall from on-chain observers, allowing the attack to run for seven days before a failed transfer surfaced it.
Assets Drained and Response
The stolen assets included seven Axelar-wrapped tokens: saUSDT, saUSDC, saDAI, saWETH, saWBTC, saWBNB, and sawstETH. Common Prefix traced the funds through Osmosis and Ethereum. Approximately $600,000 of the drained assets had been deposited by users into Shade Protocol smart contracts, though Shade did not deploy the exploited contracts. Both teams said they are reaching out to exchanges and law enforcement, but no full post-mortem has been published as of June 22.
Responsibility and Market Impact
Axelar stated the issue was isolated to the Secret-side ICS-20 smart contract and clarified that the exploited contract was not developed, deployed, or maintained by its team. Secret Network's disclosure placed the flaw in contracts tied to the Axelar integration. Axelar's Emergency Committee disabled the bridge connections after the disclosure, and cross-chain router Squid removed Secret Network support. Secret Network's SCRT token traded at $0.0558, down 33% over 30 days and near its all-time low, while Axelar's AXL traded at $0.0426, down 29% in the same period. The bridge suspension leaves SCRT with limited cross-chain liquidity routes as investigations continue.